You need to talk to your QSA, our QSA is great because we can ask him questions anytime and he doesn't charge for each question we ask. He helps us make decisions about our products that eases the recertification process. We only pay every 3 years for our PCI PA-DSS certification. It is well worth the investment! We know we are offering solid PCI PA-DSS solutions to our customers.
As I understand it, you are responsible to keep your backups very secure, and dispose of the backups in a secure manner (bulk eraser for tape backups?). For disk backups, you should encrypt the backup and securely delete when you no longer have a need. You should have an auditable means of tracking access to your backups, especially if it is easy to take the backup off-site. I don't believe you are required to restore the backup, encrypt the data, then cut a new backup. One word of caution, make sure you have the encryption key secured for the backups. When it comes to credit cards, it is best to always error on the side of caution. The consequences if you lose data is huge for you and your customers. Good luck, PCI is real "fun"! Tom RATEX Business Solutions -----Original Message----- From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Wjhonson Sent: Wednesday, April 18, 2012 5:27 PM To: firstname.lastname@example.org Subject: [U2] Credit Card numbers in your database Probably every company has gone through adding more stringent rules to the use of credit cards in your database. But surely no one has actually gone back to their old backups to "cleanse" them ? Does anyone think that's really part of the PCI DSS we're supposed to be following? We have backups going back umpteen years _______________________________________________ U2-Users mailing list U2-Users@listserver.u2ug.org http://listserver.u2ug.org/mailman/listinfo/u2-users _______________________________________________ U2-Users mailing list U2-Users@listserver.u2ug.org http://listserver.u2ug.org/mailman/listinfo/u2-users